S3 Bucket Should Not Allow READ Access to Authenticated Users

​

More Info:

S3 buckets should not allow READ access to AWS authenticated users through ACLs n order to protect your S3 data against unauthorized access.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP, AWSWAF, PCIDSS, NIST

​

Remediation

​

Using Console

Sure, here are the step-by-step instructions to remediate the issue in AWS:

1. Log in to the AWS Management Console and navigate to the S3 service.

2. Select the S3 bucket that is allowing READ access to authenticated users.

3. Click on the “Permissions” tab and then click on “Bucket Policy”.

4. In the Bucket Policy Editor, remove any statements that allow authenticated users to read from the bucket.

5. You can use the following policy to deny read access to authenticated users:

{
    "Version": "2012-10-17",
    "Id": "DenyReadAccessToAuthenticatedUsers",
    "Statement": [
        {
            "Sid": "DenyReadAccess",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "AuthenticatedUser"
                }
            }
        }
    ]
}

6. Replace “bucket-name” with the name of your S3 bucket.

7. Click on the “Save” button to apply the new policy.

8. Verify that the policy has been applied correctly by attempting to access the S3 bucket as an authenticated user. You should receive an error message indicating that you do not have permission to access the bucket.

That’s it! You have successfully remediated the misconfiguration in AWS S3 bucket.

​

Using CLI

To remediate the misconfiguration of S3 bucket allowing READ access to authenticated users in AWS using AWS CLI, follow the below steps:

1. Open the AWS CLI on your system.

2. Check the current bucket policy of the S3 bucket using the following command:

   aws s3api get-bucket-policy --bucket bucket-name
   

   Replace bucket-name with the name of the S3 bucket.

3. If the current policy allows authenticated users to read the bucket, then create a new policy that denies the read access to authenticated users. You can create a new policy using the following JSON code:

   {
     "Version": "2012-10-17",
     "Id": "DenyReadAccessToAuthenticatedUsers",
     "Statement": [
       {
         "Sid": "DenyReadAccess",
         "Effect": "Deny",
         "Principal": {
           "AWS": [
             "*"
           ]
         },
         "Action": [
           "s3:GetObject"
         ],
         "Resource": [
           "arn:aws:s3:::bucket-name/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:PrincipalType": "AuthenticatedUser"
           }
         }
       }
     ]
   }
   

   Replace bucket-name with the name of the S3 bucket.

4. Apply the new policy to the S3 bucket using the following command:

   aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json
   

   Replace bucket-name with the name of the S3 bucket, and policy.json with the name of the file containing the new policy.

5. Verify the updated bucket policy using the following command:

   aws s3api get-bucket-policy --bucket bucket-name
   

   Replace bucket-name with the name of the S3 bucket.

After following these steps, the S3 bucket will no longer allow READ access to authenticated users.

​

Using Python

To remediate the misconfiguration “S3 Bucket Should Not Allow READ Access to Authenticated Users” for AWS using Python, you can follow the below steps:

Step 1: Install and configure AWS SDK for Python (Boto3) on your local machine.

Step 2: Write a Python script that uses Boto3 to update the S3 bucket policy to remove the read access for authenticated users. Below is an example code snippet:

import boto3
import json

# Initialize the S3 client
s3 = boto3.client('s3')

# Specify the bucket name and policy
bucket_name = 'your-bucket-name'
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyReadAccessToAuthenticatedUsers",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::{}/*".format(bucket_name)
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "AuthenticatedUser"
                }
            }
        }
    ]
}

# Convert the policy to a JSON string
policy_json = json.dumps(policy)

# Update the bucket policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=policy_json)

Step 3: Run the Python script on your local machine to update the S3 bucket policy.

Once the script is executed, the bucket policy will be updated to deny read access to authenticated users.

​

Additional Reading:

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html